If an initiator submits more immediate data than the size derived from the
SCSI CDB, do not send any R2T to the initiator. This scenario is triggered
by the libiscsi test ALL.iSCSIResiduals.WriteVerify16Residuals if the iSCSI
target driver is modified to discard too large immediate data buffers
instead of trying to parse these as an iSCSI PDU. This patch prevents a
negative xfer_len value from being passed to iscsit_add_r2t_to_list() if
too large immediate data buffers are handled correctly.
Cc: Mike Christie <mchristi@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
else
xfer_len = conn->sess->sess_ops->MaxBurstLength;
}
+
+ if ((s32)xfer_len < 0) {
+ cmd->cmd_flags |= ICF_SENT_LAST_R2T;
+ break;
+ }
+
cmd->r2t_offset += xfer_len;
if (cmd->r2t_offset == cmd->se_cmd.data_length)
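Review bot: the (s32) cast in "if ((s32)xfer_len < 0)" needs a comment, because it detects a wrapped length after the fact and nothing in this hunk tells the reader which earlier computation can wrap. A one-line comment naming the case from the commit message (immediate data larger than the size derived from the SCSI CDB) would make the intent clear; comparing the operands before the length is computed would avoid relying on the cast at all. The branch also sets ICF_SENT_LAST_R2T and breaks without logging anything, so a rate-limited debug message here would help when diagnosing a misbehaving initiator.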
lockdep_assert_held(&cmd->r2t_lock);
+ WARN_ON_ONCE((s32)xfer_len < 0);
+
r2t = kmem_cache_zalloc(lio_r2t_cache, GFP_ATOMIC);
if (!r2t) {
pr_err("Unable to allocate memory for struct iscsi_r2t.\n");
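Review bot: WARN_ON_ONCE((s32)xfer_len < 0) only reports the condition; execution continues into kmem_cache_zalloc() and the R2T is still built with the bad length. Since the caller is now expected to filter this case, consider "if (WARN_ON_ONCE((s32)xfer_len < 0))" followed by the function's failure return, so that a future caller that misses the check cannot queue an R2T with a wrapped xfer_len. Note also that with the _ONCE variant only the first occurrence is reported.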